Microsoft addressed the vulnerability - which affects both consumer and business versions of the feature - in its July Patch Tuesday update. Researchers have no evidence that anyone has tried or used the attack in the wild, but someone with motive could potentially use it on a targeted espionage victim, such as “a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example,” according to the analysis. The Windows Hello bypass vulnerability, tracked as CVE-2021-34466, requires an attacker to have physical access to a device to exploit it, according to researchers at CyberArk Labs who discovered the flaw in March.įrom there, they can go on “to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host,” Omer Tsarfati, cybersecurity researcher at CyberArk Labs, wrote in a report about the vulnerability published Tuesday.įurther, exploitation of the bypass can extend beyond Windows Hello systems to “any authentication system that allows a pluggable third-party USB camera to act as biometric sensor,” Tsarfati noted. According to Microsoft, about 85 percent of Windows 10 users use the system.
.png "windows hello devices")
Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, using a PIN code or biometric identity-either a fingerprint or facial recognition-to access a device or machine. A vulnerability in Microsoft’s Windows 10 password-free authentication system has been uncovered that could allow an attacker to spoof an image of a person’s face to trick the facial-recognition system and take control of a device.
0 kommentar(er)
